Learn Linux Series (#9) - e-mail server (Dovecot)
Learn Linux Series (#9) - e-mail server (Dovecot)
What Will I Learn?
- What is Dovecot
- How to install Dovecot
- How to configure Dovecot
- Creating certificates and keys
- How to add Dovecot to autostart
- Reading e-mails from the console
Requirements
- Linux system installed
- Basic knowledge of terminal operation
- Average knowledge of linux commands
- Motivation when something goes wrong
Difficulty
- Intermediate
- What is Dovecot
Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory.
Dovecot supports:
- IMAP, POP3, IPv6, SSL and TLS protocols;
- mbox boxes and Maildir;
- simultaneous access to mailboxes by other programs (thus it can work on NFS resources or clustered file systems);
- authentication mechanisms: PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5, APOP, NTLM, GSS-SPNEGO, GSSAPI, RPA, OPT, SKEY;
- many databases storing credentials, e.g. PAM, system passwd files, LDAP, SQL databases (MySQL, PostgreSQL, SQLite) and others;
- mechanism of plugins that extend functionality (eg Quota, ACLs).
Dovecot has been designed and programmed especially with regard to safety issues. In order to support this thesis, the author offers a 1000€ prize for the person who will be the first to demonstrate a remotely exploitable security gap in Dovecot giving access to someone else's box without knowing the password . Timo Sirainen submitted the offer on January 22, 2006 and so far - despite finding various security-related errors in the program - the conditions of the competition were not met.
- How to install and configure Dovecot
First, we install Dovecot and openssl (if this package has not been installed before, because we will use it to encrypt connection data, etc.).
zypper in dovecot21 openssl
it is worth to create a backup copy of the configuration file:
cd /etc/dovecot
cp dovecot.conf dovecot.conf.backup
We create the initial configuration file by pattern:
doveconf -n > dovecot.conf-new
mv dovecot.conf-new dovecot.conf (do not create a file right away dovecot.conf: doveconf -n > dovecot.conf, because there will be errors regarding the lack of SSL certificates).
We edit the file (vi /etc/dovecot/dovecot.conf) and set / add the following options:
mail_location = maildir:~/Maildir #location of mailboxes
With this setting of mail_location, we delete or comment on the entire namespace inbox section (marked in black, because in this case we will not need it):
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = Drafts
}
mailbox Junk {
special_use = Junk
}
mailbox Sent {
special_use = Sent
}
mailbox "Sent Messages" {
special_use = Sent
}
mailbox Trash {
special_use = Trash
}
prefix =
}
login_greeting = My POP3 / IMAP server #information presented by dovecot after logging in (establishing the session) POP3
listen = * # listen on all network interfaces
protocols = "imap pop3" # serviced mail protocols
ssl = yes # enable ssl encryption
ssl_cert = # path to the certificate - do not forget about the beginning of the entry with the majority sign "<" otherwise you will see the following warnings in the logs: "Can not load ssl_cert: There is no valid PEM certificate. (You probably forgot '<' from ssl_cert = </ etc / dovecot / ssl / certyfikat.pem) "
ssl_key = # path to the key - note do not forget the beginning of the entry with the majority sign "<"
disable_plaintext_auth = yes # disable logging in with plain text (plain text - unencrypted).
Save the above configuration. Now, we will create a certificate and a key to which the above-mentioned configuration indicates.
mkdir /etc/dovecot/ssl
cd /etc/dovecot/ssl
openssl req -new -x509 -nodes -out certificate.pem -keyout key.pem -days 365
Enter your domain details, in particular pay attention to the option
"Common Name", which is intended to indicate the name of your domain.
Country Name (2 letter code) [AU]: EN # country
State or Province Name (full name) [Some-State]: Texas # province
Locality Name (eg, city) []: Glasgow # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Utopian-io # name of our company
Organizational Unit Name (eg, section) []: Programming # section / department of the company
Common Name (e.g. server FQDN or YOUR name) []: utopian.io # domain name
Email Address []: [email protected] # e-mail address for contacts regarding the certificate
We check the correctness of key generation with the command:
openssl rsa -in klucz.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
If you see such a message, we acknowledge that the key has been generated correctly.
Now check the certificate information:
openssl x509 -noout -text -in certyfikat.pem
the message should appear:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16436464367657346376 (0xcf48ed216ab49e87)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=EN, ST=Texas, L=Glasgow, O=Utopian-io, OU=Programing, CN=utopian.io/[email protected]
Validity
Not Before: Mar 20 15:54:17 2018 GMT
Not After : Mar 19 15:54:17 2022 GMT
Subject: C=EN, ST=Texas, L=Glasgow, O=Utopian-io, OU=Programing, CN=utopian.io/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
[...]
X509v3 Authority Key Identifier:
[...]
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
[...]
It looks like everything is OK. So we start Dovecot and add it to autostart:
service dovecot start
service dovecot status
chkconfig dovecot on
Let's try to send a message using SMTP
telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
ehlo utopian.io
250-mail.utopian.io
250-PIPELINING
250-SIZE
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
250 2.1.5 Ok
data
354 End data with.
Subject: Shipping test #enter
We're testing sending #enter messages
. # remember to put a full stop at the end of the message
250 2.0.0 Ok: queued as 2E23E1C0F15 #Announcement added to the delivery queue with ID 2E23E1C0F15
quit
221 2.0.0 Bye
Connection closed by foreign host.
- In that case, let's try to read this email from the console:
openssl s_client -connect localhost:995
[...] +OK Dovecot ready.
user test
+OK
pass test
+OK Logged in.
stat
+OK 1 486
list
+OK 1 messages:
1 486
.TEST TEST TEST!
retr 1 # shows the content of the ID 1 message
+OK 486 octets
Return-Path:
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from utopian.io (localhost [IPv6:::1])
by mail.utopian.io with ESMTP id 2E23E1C0F15
for ; Mon, 3 Aug 2015 12:57:13 +0200 (CEST)
Subject: Shipping test
Message-Id: <[email protected]>
Date: Mon, 3 Aug 2015 12:57:13 +0200 (CEST)
From: [email protected]
.TEST TEST TEST!
quit
+OK Logging out.
closed
Curriculum
- Part 1 - TCP/IP Computer Adaptation
- Part 2 - Proftpd management and configuration
- Part 3 - Introduction to programming
- Part 4 - e-mail server (Postfix)
- Part 5 - e-mail server (Exim)
- Part 6 - Attack Detection System Snort
- Part 7 - Defense against port scans PortSentry
- Part 8 - Intrusion detection system TripWire
Posted on Utopian.io - Rewarding Open Source Contributors
Your contribution cannot be approved because it does not follow the Utopian Rules.
Low quality. You were convicted of plagiarism.
You can contact us on Discord.
[utopian-moderator]
Hey @espoem, I just gave you a tip for your hard work on moderation. Upvote this comment to support the utopian moderators and increase your future rewards!